Could you please give the board an update about recent changes in CVE
entries? Three things jumped out on the latest batch:

1. The lack of a proper product name (e.g. CVE-2017-6478, CVE-2017-6479,
CVE-2017-6480)
2. The use of arbitrary date-based "versions" that are not in line with
the vendor versions. We usually see this with low-end researchers
trying to pass off site-specific issues as products and using a date
as
the version (e.g. CVE-2017-6479)
3. An apparent change in abstraction rule where five IDs were assigned
for XSS issues that previously would have received one ID (e.g.
CVE-2017-6487, CVE-2017-6488, CVE-2017-6489, CVE-2017-6490, and
CVE-2017-6491). It appears the only reason you abstracted is that
different bug tracker tickets were opened, despite the same version
being impacted, same researcher, same date, etc.

The first issue is just odd, and seems like someone was in a hurry, but
this is problematic to sites using CVE data to generate stats, as the
product names potentially don't match prior entries. I also noticed that
whoever made these recent entries didn't include the obvious fixing
commits that were referenced in the bug tickets. Basically, just sloppy
work.

The second one is very concerning, because yeah. I shouldn't have to
elaborate on that one.

The third one just seems to break a long-standing abstraction policy. I
have a feeling the "different tickets" will be the justification as
mentioned above, but also fairly certain that multiple mail list posts
(e.g. Bugtraq or Full-Disclosure) from the same person on the same date
affecting the same version of the same product didn't warrant splits
before.

Any clarity on policy changes regarding these issues would be
appreciated.
.b